
Use AWS CloudTrail Lake advanced queries to investigate security events

This blog post demonstrates how to use CloudTrail Lake capabilities to investigate CloudTrail activity across AWS Organizations in response to a security incident. While investigating that activity, we walk you through two security-related scenarios. The approach described in this post helps you with the investigation process and lets you gain a thorough understanding of the incident and its impact. CloudTrail Lake is a managed audit and security lake that lets you aggregate, immutably store, and query your activity logs for auditing, security investigation, and operational troubleshooting.
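The queries in this post can be run from the console or programmatically. The following Python is an added example (not code from the original post or from AWS): it derives the query 1.1 time window from a GuardDuty finding's EventFirstSeen and EventLastSeen, builds that query with every interpolated value validated first, submits it through boto3, and flattens the result rows so the source IPs can be collected as candidate IoCs. The 30-minute padding, the sample finding and the sample result rows are assumptions constructed for the example; the event data store ID is the post's own sample ID.

```python
"""Submit this post's CloudTrail Lake queries programmatically (added example).
Assumes: finding dict as returned by guardduty.get_findings(); the post's sample
event data store ID; boto3 imported lazily so the pure helpers run offline."""
import re
import time
from datetime import datetime, timedelta, timezone

LAKE_TIME_FMT = "%Y-%m-%d %H:%M:%S"  # format CloudTrail Lake expects in eventTime filters
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")  # long-term / temporary key IDs
EDS_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def _parse_iso(ts):
    """Parse a GuardDuty timestamp such as '2022-03-15T13:40:00.000Z'."""
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def finding_window(finding, padding_minutes=30):
    """Query 1.1 time window from EventFirstSeen/EventLastSeen, padded on both
    sides so activity just outside the detection interval is not missed."""
    svc = finding["Service"]
    pad = timedelta(minutes=padding_minutes)
    start = (_parse_iso(svc["EventFirstSeen"]) - pad).astimezone(timezone.utc)
    end = (_parse_iso(svc["EventLastSeen"]) + pad).astimezone(timezone.utc)
    return start.strftime(LAKE_TIME_FMT), end.strftime(LAKE_TIME_FMT)


def access_key_activity_query(eds_id, access_key_id, start, end):
    """Build query 1.1 (all activity by one access key in a window). Each value
    is validated before interpolation, so a malformed key ID or timestamp
    copied from a finding cannot change the shape of the SQL."""
    if not EDS_ID_RE.match(eds_id):
        raise ValueError(f"unexpected event data store ID: {eds_id!r}")
    if not ACCESS_KEY_RE.match(access_key_id):
        raise ValueError(f"unexpected access key ID: {access_key_id!r}")
    for ts in (start, end):
        datetime.strptime(ts, LAKE_TIME_FMT)  # raises on a malformed timestamp
    return (
        "SELECT eventSource, eventName, sourceIPAddress, eventTime, errorCode "
        f"FROM {eds_id} WHERE userIdentity.accessKeyId = '{access_key_id}' "
        f"AND eventTime > '{start}' AND eventTime < '{end}' ORDER BY eventTime"
    )


def rows_to_dicts(result_rows):
    """Flatten QueryResultRows (each row is a list of one-key dicts) into dicts."""
    records = []
    for row in result_rows:
        record = {}
        for cell in row:
            record.update(cell)
        records.append(record)
    return records


def distinct_source_ips(records):
    """Source IPs seen in the results: candidate IoCs for the later queries."""
    return sorted({r["sourceIPAddress"] for r in records if r.get("sourceIPAddress")})


def run_lake_query(sql, region_name=None, poll_seconds=2):
    """Submit sql, wait for it to finish and return the flattened rows. Needs
    cloudtrail:StartQuery, DescribeQuery and GetQueryResults permissions in the
    account that owns the event data store (e.g. the delegated administrator)."""
    import boto3  # imported here so the pure helpers above need no AWS SDK

    client = boto3.client("cloudtrail", region_name=region_name)
    query_id = client.start_query(QueryStatement=sql)["QueryId"]
    while True:
        status = client.describe_query(QueryId=query_id)["QueryStatus"]
        if status in ("FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"):
            break
        time.sleep(poll_seconds)
    if status != "FINISHED":
        raise RuntimeError(f"query {query_id} ended with status {status}")
    rows, kwargs = [], {"QueryId": query_id}
    while True:
        page = client.get_query_results(**kwargs)
        rows.extend(page.get("QueryResultRows", []))
        if "NextToken" not in page:
            return rows_to_dicts(rows)
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample finding and result page (not real data), so the pure
# helpers can be exercised without AWS access.
SAMPLE_FINDING = {"Service": {"EventFirstSeen": "2022-03-15T13:40:00.000Z",
                              "EventLastSeen": "2022-03-15T23:30:00.000Z"}}
SAMPLE_RESULT_ROWS = [
    [{"eventSource": "s3.amazonaws.com"}, {"eventName": "ListBuckets"},
     {"sourceIPAddress": "192.0.2.76"}, {"errorCode": "AccessDenied"}],
    [{"eventSource": "sts.amazonaws.com"}, {"eventName": "AssumeRole"},
     {"sourceIPAddress": "192.0.2.76"}, {"errorCode": ""}],
]
```

With the padded window applied to the sample finding, `finding_window` yields exactly the `2022-03-15 13:10:00` to `2022-03-16 00:00:00` bounds used by the scenario 1 queries; `run_lake_query(access_key_activity_query(...))` then returns the rows that `distinct_source_ips` reduces to the IoC list.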

 <h2>Prerequisites</h2> <p>You must have the following AWS services enabled before you start the investigation.</p> <ul> <li><strong>CloudTrail Lake</strong> — To learn how to enable this service and use sample queries, see the blog post <a href="https://aws.amazon.com/blogs/mt/announcing-aws-cloudtrail-lake-a-managed-audit-and-security-lake/" target="_blank" rel="noopener">Announcing AWS CloudTrail Lake – a managed audit and security Lake</a>. When you create a new event data store at the organization level, you will need to enable CloudTrail Lake for all of the accounts in the organization. We advise that you include not only management events but also data events. <p>When you use CloudTrail Lake with AWS Organizations, you can designate an account within the organization to be the CloudTrail Lake <a href="https://aws.amazon.com/about-aws/whats-new/2022/11/aws-cloudtrail-delegated-account-support-aws-organizations/" target="_blank" rel="noopener">delegated administrator</a>. This provides a convenient way to perform queries from a designated AWS security account—for example, you can avoid granting access to your AWS management account.</p> </li> <li><strong>Amazon GuardDuty</strong> — This is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. To learn about the benefits of the service and how to get started, see <a href="https://aws.amazon.com/guardduty/" target="_blank" rel="noopener">Amazon GuardDuty</a>.</li> </ul> <h2>Incident scenario 1: AWS access keys compromised</h2> <p>In the first scenario, you have observed activity within your AWS account from an unauthorized party. This example covers a situation where a threat actor has obtained and misused one of your AWS access keys that was exposed publicly by mistake. 
This investigation starts after <a href="https://aws.amazon.com/guardduty/" target="_blank" rel="noopener">Amazon GuardDuty</a> generates an <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html" target="_blank" rel="noopener">IAM finding</a> identifying that the malicious activity came from the exposed AWS access key. Following the Incident Response Playbook <a href="https://github.com/aws-samples/aws-customer-playbook-framework/blob/main/docs/Compromised_IAM_Credentials.md" target="_blank" rel="noopener">Compromised IAM Credentials</a>, focusing on step 12 in the playbook ([DETECTION AND ANALYSIS] Review CloudTrail Logs), you will use CloudTrail Lake capabilities to investigate the activity that was performed with this key. To do so, you will use the following nine query examples that we provide for this first scenario.</p> <h3>Query 1.1: Activity performed by access key during a specific time window</h3> <p>The first query is aimed at obtaining the specific activity that was performed by this key, either successfully or not, during the time the malicious activity took place. You can use the GuardDuty finding <a href="https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Service.html" target="_blank" rel="noopener">details</a> “EventFirstSeen” and “EventLastSeen” to define the time window of the query. 
Also, and for further queries, you want to fetch artifacts that could be considered possible <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-indicators-of-compromise.html" target="_blank" rel="noopener">indicators of compromise (IoC)</a> related to this security incident, such as IP addresses.</p> <p>You can build and run the following query on CloudTrail Lake Editor, either in the <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html" target="_blank" rel="noopener">CloudTrail console</a> or <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html" target="_blank" rel="noopener">programmatically</a>.</p> <h4>Query 1.1</h4> <div class="hide-language"> <code>
SELECT eventSource,eventName,sourceIPAddress,eventTime,errorCode FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE' AND eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' order by eventTime;</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_28998" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28998" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img1-1024x543-1.png" alt="Figure 1: Sample query 1.1 and results in the AWS Management Console" width="760" class="size-large wp-image-28998"> <p id="caption-attachment-28998" class="wp-caption-text">Figure 1: Sample query 1.1 and results in the AWS Management Console</p> </div> <p>The results demonstrate that the access key unsuccessfully tried to list Amazon Simple Storage Service (Amazon S3) buckets and CloudTrail trails. You can also see specific write activity related to <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> that was denied, followed by activity possibly related to <a href="https://attack.mitre.org/tactics/TA0043/" target="_blank" rel="noopener">reconnaissance</a> tactics in IAM that finally allowed the actor to assume a role, which indicates a possible attempt at <a href="https://attack.mitre.org/tactics/TA0004/" target="_blank" rel="noopener">escalation of privileges</a>. You can observe only one source IP from which this activity was performed.</p> <h3>Query 1.2: Confirm which IAM role was assumed by the threat actor during a specific time window</h3> <p>As you observed from the previous query results, the threat actor was able to assume an IAM role. In this query, you would like to confirm which IAM role was assumed during the security incident.</p> <h4>Query 1.2</h4> <div class="hide-language"> <code>
SELECT requestParameters,responseElements FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE eventName = 'AssumeRole' AND eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29003" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29003" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img2-1024x500-1.png" alt="Figure 2: Sample query 1.2 and results in the console" width="760" class="size-large wp-image-29003"> <p id="caption-attachment-29003" class="wp-caption-text">Figure 2: Sample query 1.2 and results in the console</p> </div> <p>The results show that an IAM role named “Alice” was assumed in a second account. For future queries, keep the temporary access key from the <em>responseElements</em> result to obtain activity performed by this role session.</p> <h3>Query 1.3: Activity performed from an IP address in an expanded time window search</h3> <p>Investigating the incident only from the time of discovery may result in overlooking indicators of earlier, undetected incidents related to this threat actor. For this reason, you want to expand the investigation time window, which might mean searching back weeks, months, or even years, depending on factors such as the nature and severity of the incident, available resources, and so on. In this example, to balance thoroughness and urgency, the window of time searched is expanded to a month. You also want to review whether there is past activity in this account from the IP you previously observed.</p> <h4>Query 1.3</h4> <div class="hide-language"> <code>
SELECT eventSource,eventName,sourceIPAddress,eventTime,errorCode FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE sourceIPAddress = '192.0.2.76' AND useridentity.accountid = '555555555555' AND eventTime > '2022-02-15 13:10:00' AND eventTime < '2022-03-15 13:10:00' order by eventTime;</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29017" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29017" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img3-1024x454-1.png" alt="Figure 3: Sample query 1.3 and results in the console" width="760" class="size-large wp-image-29017"> <p id="caption-attachment-29017" class="wp-caption-text">Figure 3: Sample query 1.3 and results in the console</p> </div> <p>As you can observe from the results, there is no activity coming from this IP address in this account in the previous month.</p> <h3>Query 1.4: Activity performed from an IP address in any other account in your organization during a specific time window</h3> <p>Before you start investigating what activity was performed by the role assumed in the second account, and considering that this malicious activity now involves cross-account access, you will want to review whether any other account in your organization has activity related to the specific IP address observed. You will need to expand the window of time to an entire month in order to see if previous activity was performed before this incident from this source IP, and you will need to exclude activity coming from the first account.</p> <h4>Query 1.4</h4> <div class="hide-language"> <code>
SELECT useridentity.accountid,eventTime FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE sourceIPAddress = '192.0.2.76' AND eventTime > '2022-02-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND useridentity.accountid != '555555555555' GROUP BY useridentity.accountid, eventTime ORDER BY eventTime</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29018" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29018" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img4-1024x499-1.png" alt="Figure 4: Sample query 1.4 and results in the console" width="760" class="size-large wp-image-29018"> <p id="caption-attachment-29018" class="wp-caption-text">Figure 4: Sample query 1.4 and results in the console</p> </div> <p>As you can observe from the results, there is activity only in the second account where the role was assumed. You can also confirm that there was no activity performed in other accounts in the previous month from this IP address.</p> <h3>Query 1.5: Count activity performed by an IAM role during a specific time period</h3> <p>For the next query example, you want to count and group activity based on the API actions that were performed in each service by the role assumed. This query helps you quantify and understand the impact of the possible unauthorized activity that might have happened in this second account.</p> <h4>Query 1.5</h4> <div class="hide-language"> <code>
SELECT count (*) as NumberEvents, eventSource, eventName
FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND useridentity.type = 'AssumedRole' AND useridentity.sessioncontext.sessionissuer.arn = 'arn:aws:iam::111122223333:role/Alice'
GROUP by eventSource, eventName
order by NumberEvents desc;</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29019" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29019" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img5-1024x682-1.png" alt="Figure 5: Sample query 1.5 and results in the console" width="760" class="size-large wp-image-29019"> <p id="caption-attachment-29019" class="wp-caption-text">Figure 5: Sample query 1.5 and results in the console</p> </div> <p>You observe that the activity is consistent with what was shown in the first account, and the threat actor seems to be targeting trails, S3 buckets, and IAM activity related to possible further escalation of privileges.</p> <h3>Query 1.6: Confirm successful activity performed by an IAM role during a specific time window</h3> <p>Following the example in query 1.1, you will fetch the information related to activity that was successful or denied. This helps you confirm modifications that took place in the environment, or the creation of new resources. For this example, you will also want to obtain the event ID in case you need to dig further into one specific API call. You will then filter out activity done by any other session by using the temporary access key obtained from query 1.2.</p> <h4>Query 1.6</h4> <div class="hide-language"> <code>
SELECT eventSource, eventName, eventTime, eventID, errorCode FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND useridentity.type = 'AssumedRole' AND useridentity.sessioncontext.sessionissuer.arn = 'arn:aws:iam::111122223333:role/Alice' AND userIdentity.accessKeyId = 'ASIAZNYXHMZ37EXAMPLE'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29020" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29020" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img6-1024x631-1.png" alt="Figure 6: Sample query 1.6 and results in the console" width="760" class="size-large wp-image-29020"> <p id="caption-attachment-29020" class="wp-caption-text">Figure 6: Sample query 1.6 and results in the console</p> </div> <p>You can observe that the threat actor was again not able to perform activity upon the trails, S3 buckets, or IAM roles. But as you can see, the threat actor was able to perform specific IAM activity, which led to the creation of a new IAM user, policy attachment, and access key.</p> <h3>Query 1.7: Obtain new access key ID created</h3> <p>By making use of the event ID from the CreateAccessKey event displayed in the previous query, you can obtain the access key ID so that you can further dig into what activity was performed by it.</p> <h4>Query 1.7</h4> <div class="hide-language"> <code>
SELECT responseElements FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE eventID = 'bd29bab7-1153-4510-9e7f-9ff9bba4bd9a'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29021" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29021" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img7.png" alt="Figure 7: Sample query 1.7 and results in the console" width="760" class="size-full wp-image-29021"> <p id="caption-attachment-29021" class="wp-caption-text">Figure 7: Sample query 1.7 and results in the console</p> </div> <h3>Query 1.8: Obtain successful API activity that was performed by the access key during a specific time window</h3> <p>Following previous examples, you will count and group the API activity that was successfully performed by this access key ID. This time, you will exclude denied activity in order to understand the activity that actually took place.</p> <h4>Query 1.8</h4> <div class="hide-language"> <code>
SELECT count (*) as NumberEvents, eventSource, eventName
FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND
userIdentity.accessKeyId = 'AKIAI44QH8DHBEXAMPLE' AND errorcode IS NULL
GROUP by eventSource, eventName
order by NumberEvents desc;</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29022" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29022" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img8.png" alt="Figure 8: Sample query 1.8 and results in the console" width="760" class="size-full wp-image-29022"> <p id="caption-attachment-29022" class="wp-caption-text">Figure 8: Sample query 1.8 and results in the console</p> </div> <p>You can observe that this time, the threat actor was able to perform specific activities targeting your trails and buckets due to privilege escalation. In these results, you observe that a trail was successfully stopped, and S3 objects were downloaded and deleted.</p> <p>You can also see bucket deletion activity. At first glance, this might indicate activity related to a data exfiltration scenario in the case where the bucket was not properly secured, and possible future ransom demands could be made if proper preventive controls and measures to recover the data were not in place. For more details on this scenario, see this <a href="https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/" target="_blank" rel="noopener">AWS Security blog post</a>.</p> <h3>Query 1.9: Obtain bucket and object names affected during a specific time window</h3> <p>After you obtain the activities on the S3 buckets by using sample query 1.8, you can use the following query to show what objects this activity was related to, and from which buckets. You can expand the query to exclude denied activity.</p> <h4>Query 1.9</h4> <div class="hide-language"> <code>
SELECT element_at(requestParameters, 'bucketName') as BucketName, element_at(requestParameters, 'key') as ObjectName, eventName FROM 1994bee2-d4a0-460e-8c07-1b5ee04765d8 WHERE (eventName = 'GetObject' OR eventName = 'DeleteObject') AND eventTime > '2022-03-15 13:10:00' AND eventTime < '2022-03-16 00:00:00' AND userIdentity.accessKeyId = 'AKIAI44QH8DHBEXAMPLE' AND errorcode IS NULL</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29023" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29023" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img9.png" alt="Figure 9: Sample query 1.9 and results in the console" width="760" class="size-full wp-image-29023"> <p id="caption-attachment-29023" class="wp-caption-text">Figure 9: Sample query 1.9 and results in the console</p> </div> <p>As you can observe, the unauthorized user was able to first obtain and exfiltrate S3 objects, and then delete them afterwards.</p> <h3>Summary of incident scenario 1</h3> <p>This scenario describes a security incident involving a publicly exposed AWS access key that is exploited by a threat actor. 
Here is a summary of the steps taken to investigate this incident by using CloudTrail Lake capabilities:</p> <ul> <li>Investigated AWS activity that was performed by the compromised access key</li> <li>Observed possible adversary tactics and techniques that were used by the threat actor</li> <li>Collected artifacts that could be potential indicators of compromise (IoC), such as IP addresses</li> <li>Confirmed role assumption by the threat actor in a second account</li> <li>Expanded the time window of your investigation and the scope to your entire organization in AWS Organizations; and searched for any activity that might have taken place originating from the IP address related to the unauthorized activity</li> <li>Investigated AWS activity that was performed by the role assumed in the second account</li> <li>Identified new resources that were created by the threat actor, and malicious activity performed by the actor</li> <li>Confirmed the modifications caused by the threat actor and their impact in your environment</li> </ul> <h2>Incident scenario 2: AWS IAM Identity Center user credentials compromised</h2> <p>In this second scenario, you start your investigation from a GuardDuty finding stating that an <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon Elastic Compute Cloud (Amazon EC2)</a> instance is querying an IP address that is associated with cryptocurrency-related activity. There are several sources of logs that you might want to explore when you conduct this investigation, including network, operation system, or application logs, among others. In this example, you will use CloudTrail Lake capabilities to investigate API activity logged in CloudTrail for this security event. 
To understand what exactly happened and when, you start by querying information from the resource involved, in this case an EC2 instance, and then continue digging into the <a href="https://docs.aws.amazon.com/singlesignon/" target="_blank" rel="noopener">AWS IAM Identity Center (successor to AWS Single Sign-On)</a> credentials that were used to launch that EC2 instance, to finally confirm what other actions were performed.</p> <h3>Query 2.1: Confirm who has launched the EC2 instance involved in the cryptocurrency-related activity</h3> <p>You can begin by looking at the finding <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb" target="_blank" rel="noopener">CryptoCurrency:EC2/BitcoinTool.B</a> to get more information related to this event, for example <em>when</em> (timestamp), <em>where</em> (AWS account and AWS Region), and also <em>which</em> resource (EC2 instance ID) was involved with the security incident and when it was launched. With this information, you can perform the first query for this scenario, which will confirm what type of user credentials were used to launch the instance involved.</p> <h4>Query 2.1</h4> <div class="hide-language"> <code>
SELECT userIdentity.principalid, eventName, eventTime, recipientAccountId, awsRegion FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE responseElements IS NOT NULL AND
element_at(responseElements, 'instancesSet') like '%"instanceId":"i-053a7e6164c0f0473"%' AND
eventTime > '2022-09-13 12:45:59' AND eventName='RunInstances'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29024" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29024" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img10-1024x561-1.png" alt="Figure 10: Sample query 2.1 and results in the console" width="760" class="size-large wp-image-29024"> <p id="caption-attachment-29024" class="wp-caption-text">Figure 10: Sample query 2.1 and results in the console</p> </div> <p>The results demonstrate that the IAM Identity Center user with principal ID <span>AROASVPO5CIEXAMPLE:alice@example.com</span> was used to launch the EC2 instance that was involved in the incident.</p> <h3>Query 2.2: Confirm in which AWS accounts the IAM Identity Center user has federated and authenticated</h3> <p>You want to confirm which AWS accounts this specific IAM Identity Center user has federated and authenticated with, and also which IAM role was assumed. This is important information to make sure that the security event happened only within the affected AWS account. The window of time for this query is based on the maximum value for the permission sets’ <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html" target="_blank" rel="noopener">session duration</a> in IAM Identity Center.</p> <h4>Query 2.2</h4> <div class="hide-language"> <code>
SELECT element_at(serviceEventDetails, 'account_id') as AccountID, element_at(serviceEventDetails, 'role_name') as SSORole, eventID, eventTime FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd WHERE eventSource = 'sso.amazonaws.com' AND eventName = 'Federate' AND userIdentity.username = 'alice@example.com' AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29025" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29025" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img11-1024x560-1.png" alt="Figure 11: Sample query 2.2 and results in the console" width="760" class="size-large wp-image-29025"> <p id="caption-attachment-29025" class="wp-caption-text">Figure 11: Sample query 2.2 and results in the console</p> </div> <p>The results show that only one AWS account has been accessed during the time of the incident, and only one AWS role named AdministratorAccess has been used.</p> <h3>Query 2.3: Count and group activity based on API actions that were performed by the user in each AWS service</h3> <p>You now know exactly where the user has gained access, so next you can count and group the activity based on the API actions that were performed in each AWS service. This information helps you confirm the types of activity that were performed.</p> <h4>Query 2.3</h4> <div class="hide-language"> <code>
SELECT eventSource, eventName, COUNT(*) AS apiCount
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'
GROUP BY eventSource, eventName ORDER BY apiCount DESC</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29026" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29026" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img12-1024x838-1.png" alt="Figure 12: Sample query 2.3 and results in the console" width="760" class="size-large wp-image-29026"> <p id="caption-attachment-29026" class="wp-caption-text">Figure 12: Sample query 2.3 and results in the console</p> </div> <p>You can see that the list of APIs includes the read activities <span>Get</span>, <span>Describe</span>, and <span>List</span>. This activity is commonly associated with the discovery stage, when the unauthorized user is gathering information to determine credential permissions.</p> <h3>Query 2.4: Obtain mutable activity based on API actions performed by the user in each AWS service</h3> <p>To get a better understanding of the mutable actions performed by the user, you can add a new condition to hide the read-only actions by setting the <span>readOnly</span> parameter to false. You will want to focus on mutable actions to know whether there were new AWS resources created or if existing AWS resources were deleted or modified. Also, you can add the possible error code from the response element to the query, which will tell you if the actions were denied.</p> <h4>Query 2.4</h4> <div class="hide-language"> <code>
SELECT eventSource, eventName, eventTime, eventID, errorCode
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND readOnly = false
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29027" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29027" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img13-1024x781-1.png" alt="Figure 13: Sample query 2.4 and results in the console" width="760" class="size-large wp-image-29027"> <p id="caption-attachment-29027" class="wp-caption-text">Figure 13: Sample query 2.4 and results in the console</p> </div> <p>You can confirm that some actions, like EC2 <span>RunInstances</span>, EC2 <span>CreateImage</span>, SSM <span>StartSession</span>, IAM <span>CreateUser</span>, and IAM <span>PutRolePolicy</span> were allowed. And in contrast, IAM <span>CreateAccessKey</span>, IAM <span>CreateRole</span>, IAM <span>AttachRolePolicy</span>, and GuardDuty <span>DeleteDetector</span> were denied. The IAM-related denied actions are commonly associated with <a href="https://attack.mitre.org/tactics/TA0003/" target="_blank" rel="noopener">persistence tactics</a>, where an unauthorized user may <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html" target="_blank" rel="noopener">try to maintain access</a> to the environment. The GuardDuty denied action is commonly associated with <a href="https://attack.mitre.org/tactics/TA0005/" target="_blank" rel="noopener">defense evasion tactics</a>, where the unauthorized user is trying to cover their tracks and avoid detection.</p> <h3>Query 2.5: Obtain more information about API action EC2 RunInstances</h3> <p>You can focus first on the API action EC2 <span>RunInstances</span> to understand how many EC2 instances were created by the same user. This information will confirm which other EC2 instances were involved in the security event.</p> <h4>Query 2.5</h4> <div class="hide-language"> <code>
SELECT awsRegion, recipientAccountId, eventID, element_at(responseElements, 'instancesSet') as instances
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventName='RunInstances'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29028" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29028" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img14-1024x625-1.png" alt="Figure 14: Sample query 2.5 and results in the console" width="760" class="size-large wp-image-29028"> <p id="caption-attachment-29028" class="wp-caption-text">Figure 14: Sample query 2.5 and results in the console</p> </div> <p>You can confirm that the API was called twice, and if you expand the column <strong>InstanceSet</strong> in the response element, you will see the exact number of EC2 instances that were launched. Also, you can find that these EC2 instances were launched with an IAM instance profile called <em>ec2-role-ssm-core</em>. By checking in the IAM console, you can confirm that the IAM role associated has only the AWS managed policy <em>AmazonSSMManagedInstanceCore</em> attached, which enables <a href="https://aws.amazon.com/systems-manager/" target="_blank" rel="noopener">AWS Systems Manager</a> core functionality.</p> <h3>Query 2.6: Get the list of denied API actions performed by the user for each AWS service</h3> <p>Now, you can filter more to focus only on those denied API actions by performing the following query. This is important because it can help you to identify what kind of malicious event was attempted.</p> <h4>Query 2.6</h4> <div class="hide-language"> <code>
SELECT recipientAccountId, awsRegion, eventSource, eventName, eventID, eventTime
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND errorCode = 'AccessDenied'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29029" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29029" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img15-1024x634-1.png" alt="Figure 15: Sample query 2.6 and results in the console" width="760" class="size-large wp-image-29029"> <p id="caption-attachment-29029" class="wp-caption-text">Figure 15: Sample query 2.6 and results in the console</p> </div> <p>You can see that the user has tried to stop GuardDuty by calling <span>DeleteDetector</span>, and has also performed actions within IAM that you should examine more closely to know if new unwanted access to the environment was created.</p> <h3>Query 2.7: Obtain more information about API action IAM CreateUserAccessKeys</h3> <p>With the previous query, you confirmed that more actions were denied within IAM. You can now focus on the failed attempt to create IAM user access keys that could have been used to gain persistent and programmatic access to the AWS account. With the following query, you can make sure that the actions were denied and determine the reason why.</p> <h4>Query 2.7</h4> <div class="hide-language"> <code>
SELECT recipientAccountId, awsRegion, eventID, eventTime, errorCode, errorMessage
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventName='CreateAccessKey'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29030" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29030" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img16-1024x625-1.png" alt="Figure 16: Sample query 2.7 and results in the console" width="760" class="size-large wp-image-29030"> <p id="caption-attachment-29030" class="wp-caption-text">Figure 16: Sample query 2.7 and results in the console</p> </div> <p>If you copy the <span>errorMessage</span> element from the response, you can confirm that the action was denied by a service control policy, as shown in the following example.</p> <div class="hide-language"> <code>
"errorMessage":"User: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_f53d10b0f8a756ac/alice@example.com is not authorized to perform: iam:CreateAccessKey on resource: user production-user with an explicit deny in a service control policy"</code> </div> <h3>Query 2.8: Obtain more information about the IAM API action CreateUser</h3> <p>The error message from query 2.7 gives the name of the IAM user for which access keys were requested (<em>production-user</em>). Now look at the IAM <span>CreateUser</span> call that succeeded earlier to check whether it created that same user. This confirms that no other IAM users were involved in the security event.</p> <h4>Query 2.8</h4> <div class="hide-language"> <code>
SELECT recipientAccountId, awsRegion, eventID, eventTime, element_at(responseElements, 'user') as userInfo
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventName='CreateUser'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29031" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29031" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img17-1024x621-1.png" alt="Figure 17: Sample query 2.8 and results in the console" width="760" class="size-large wp-image-29031"> <p id="caption-attachment-29031" class="wp-caption-text">Figure 17: Sample query 2.8 and results in the console</p> </div> <p>Based on this output, you can confirm that the IAM user is indeed the same. This user was created successfully but was denied the creation of access keys, confirming the failed attempt to get new persistent and programmatic credentials.</p> <h3>Query 2.9: Get more information about the IAM role creation attempt</h3> <p>Now you can figure out what happened with the IAM <span>CreateRole</span> denied action. With the following query, you can see the full error message for the denied action.</p> <h4>Query 2.9</h4> <div class="hide-language"> <code>
SELECT recipientAccountId, awsRegion, eventID, eventTime, errorCode, errorMessage
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventName='CreateRole'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29032" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29032" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img18-1024x627-1.png" alt="Figure 18: Sample query 2.9 and results in the console" width="760" class="size-large wp-image-29032"> <p id="caption-attachment-29032" class="wp-caption-text">Figure 18: Sample query 2.9 and results in the console</p> </div> <p>If you copy the output of this query, you will see that the role was denied by a service control policy, as shown in the following example:</p> <div class="hide-language"> <code>
"errorMessage":"User: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_f53d10b0f8a756ac/alice@example.com is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::111122223333:role/production-ec2-role with an explicit deny in a service control policy"</code> </div> <h3>Query 2.10: Get more information about IAM role policy changes</h3> <p>The previous query confirmed that the unauthorized user failed to create a new IAM role that would have replaced the existing EC2 instance profile with one carrying more permissions. Query 2.6 also showed that the IAM API action <span>AttachRolePolicy</span> was denied: a second attempt at the same goal, this time by attaching an AWS managed policy directly to the existing role. The following query shows that a third attempt succeeded: the unauthorized user called <span>PutRolePolicy</span> to add an inline policy granting full administrator access to the role behind the existing EC2 instance profile. Two details matter here. First, the <span>policyDocument</span> value that CloudTrail records is URL-encoded, so decode it before reading the statements. Second, the service control policy that blocked <span>CreateRole</span> and <span>AttachRolePolicy</span> did not cover <span>iam:PutRolePolicy</span>, which is a gap to close as part of remediation.</p> <h4>Query 2.10</h4> <div class="hide-language"> <code>
SELECT recipientAccountId, eventID, eventTime, element_at(requestParameters, 'roleName') as roleName, element_at(requestParameters, 'policyDocument') as policyDocument
FROM 467f2e52-84b9-4d41-8049-bc8f8fad35dd
WHERE userIdentity.principalId = 'AROASVPO5CIEXAMPLE:alice@example.com'
AND eventName = 'PutRolePolicy'
AND eventTime > '2022-09-13 00:00:00' AND eventTime < '2022-09-14 00:00:00'</code> </div> <p>The results of the query are as follows:</p> <div id="attachment_29033" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29033" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img19-1024x625-1.png" alt="Figure 19: Sample query 2.10 and results in the console" width="760" class="size-large wp-image-29033"> <p id="caption-attachment-29033" class="wp-caption-text">Figure 19: Sample query 2.10 and results in the console</p> </div> <h3>Summary of incident scenario 2</h3> <p>This second scenario describes a security incident that involves an IAM Identity Center user that has been compromised. To investigate this incident by using CloudTrail Lake capabilities, you did the following:</p> <ul> <li>Started the investigation by looking at metadata from the GuardDuty EC2 finding</li> <li>Confirmed the AWS credentials that were used for the creation of that resource</li> <li>Looked at whether the IAM Identity Center user credentials were used to access other AWS accounts</li> <li>Did further investigation on the AWS APIs that were called by the IAM Identity Center user</li> <li>Obtained the list of denied actions, confirming the unauthorized user’s attempt to get persistent access and cover their tracks</li> <li>Obtained the list of EC2 resources that were successfully created in this security event</li> </ul> <h2>Conclusion</h2> <p>In this post, we’ve shown you how to use AWS CloudTrail Lake capabilities to investigate CloudTrail activity in response to security incidents across your organization. 
We also provided sample queries for two security incident scenarios. You now know how to use the capabilities of CloudTrail Lake to assist you and your security teams during the investigation of a security incident. Additionally, you can find some of the sample queries related to this post and other topics in the following <a href="https://github.com/aws-samples/cloud-trail-lake-query-samples" target="_blank" rel="noopener">GitHub repository</a>, and additional examples in the sample queries tab in the <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-examples.html" target="_blank" rel="noopener">CloudTrail console</a>. To learn more, see <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html" target="_blank" rel="noopener">Working with CloudTrail Lake</a> in the CloudTrail User Guide.</p> <p>Regarding pricing for CloudTrail Lake, you pay for ingestion and storage together, and billing is based on the amount of uncompressed data ingested. If you’re a new customer, you can try AWS CloudTrail Lake free for 30 days or until you reach the free usage limit of 5 GB of data. For more information, see <a href="https://aws.amazon.com/cloudtrail/pricing/" target="_blank" rel="noopener">AWS CloudTrail pricing</a>.</p> <p>Finally, in combination with the investigation techniques shown in this post, we also recommend that you explore the use of <a href="https://aws.amazon.com/detective/" target="_blank" rel="noopener">Amazon Detective</a>, an AWS managed and dedicated service that simplifies the investigative process and helps security teams conduct faster and more effective investigations. With the Amazon Detective prebuilt data aggregations, summaries, and context, you can quickly analyze and determine the nature and extent of possible security issues.</p> <p> <br>If you have feedback about this post, submit comments in the<strong> Comments</strong> section below. 
If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>
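<p>The following Python script is an added example and is not part of the original post. It applies the triage steps of queries 2.6 through 2.10 to CloudTrail records that have already been exported as JSON (the raw CloudTrail log record schema), so it runs offline without CloudTrail Lake access: it counts denied calls per service and API while also matching the EC2 error code <span>Client.UnauthorizedOperation</span> that a plain <span>errorCode = 'AccessDenied'</span> filter misses, separates denials caused by a service control policy from other denials by inspecting <span>errorMessage</span>, and URL-decodes the <span>policyDocument</span> of each successful <span>PutRolePolicy</span> call to flag inline policies that grant full administrator access. The principal ID, account ID and role names match the post's scenario; the events, helper names and the second principal (bob@example.com) are constructed for the example.</p>

```python
"""Offline triage of CloudTrail records, mirroring queries 2.6 to 2.10.
Added example, not from the original post: assumes raw CloudTrail log records
(the schema exported to S3) and uses only constructed sample events."""
import itertools
import json
from collections import Counter
from urllib.parse import quote, unquote

# Denial codes differ by service: IAM and most services use AccessDenied(Exception);
# EC2 uses Client.UnauthorizedOperation, which errorCode = 'AccessDenied' misses.
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
SCP_MARKER = "explicit deny in a service control policy"
PRINCIPAL = "AROASVPO5CIEXAMPLE:alice@example.com"  # principalId from the post's queries
ROLE_ARN = ("arn:aws:sts::111122223333:assumed-role/"
            "AWSReservedSSO_AdministratorAccess_f53d10b0f8a756ac/alice@example.com")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
_ids = itertools.count(1)

def _event(name, source, **fields):
    """One constructed CloudTrail record; keyword fields override the defaults."""
    rec = {"eventTime": "2022-09-13T10:00:00Z", "eventSource": f"{source}.amazonaws.com",
           "eventName": name, "eventID": f"evt-{next(_ids):03d}", "awsRegion": "us-east-1",
           "recipientAccountId": "111122223333", "userIdentity": {"principalId": PRINCIPAL}}
    return {**rec, **fields}

def _scp_denied(action, resource):
    """errorCode/errorMessage as CloudTrail records them for an explicit SCP deny."""
    return {"errorCode": "AccessDenied", "errorMessage": f"User: {ROLE_ARN} is not authorized "
            f"to perform: {action} on resource: {resource} with an {SCP_MARKER}"}

def _put_policy(role, name, policy, **fields):
    """PutRolePolicy record; CloudTrail stores the policyDocument URL-encoded."""
    params = {"roleName": role, "policyName": name, "policyDocument": quote(json.dumps(policy))}
    return _event("PutRolePolicy", "iam", requestParameters=params, **fields)

SAMPLE_EVENTS = [  # constructed sample data, modelled on the post's scenario 2
    _event("DeleteDetector", "guardduty", errorCode="AccessDenied",
           errorMessage=f"User: {ROLE_ARN} is not authorized to perform: guardduty:DeleteDetector"),
    _event("CreateUser", "iam", requestParameters={"userName": "production-user"},
           responseElements={"user": {"userName": "production-user"}}),
    _event("CreateAccessKey", "iam", **_scp_denied("iam:CreateAccessKey", "user production-user")),
    _event("CreateRole", "iam", **_scp_denied(
        "iam:CreateRole", "arn:aws:iam::111122223333:role/production-ec2-role")),
    _event("AttachRolePolicy", "iam", **_scp_denied(
        "iam:AttachRolePolicy", "arn:aws:iam::111122223333:role/ec2-role-ssm-core")),
    _put_policy("ec2-role-ssm-core", "admin", ADMIN_POLICY),     # the call that succeeded
    _put_policy("ec2-role-ssm-core", "s3-read", SCOPED_POLICY),  # benign, must not be flagged
    _event("DescribeVolumes", "ec2", errorCode="Client.UnauthorizedOperation",
           errorMessage="You are not authorized to perform this operation."),
    _put_policy("other-role", "admin", ADMIN_POLICY,             # another principal, filtered out
                userIdentity={"principalId": "AROAEXAMPLEOTHER:bob@example.com"}),
]

def by_principal(events, principal=PRINCIPAL):
    return [e for e in events if e.get("userIdentity", {}).get("principalId") == principal]

def is_denied(event):
    return event.get("errorCode") in DENIED_CODES

def denied_actions(events, principal=PRINCIPAL):
    """Query 2.6 equivalent: denied calls per (service, API), across all denial codes."""
    return Counter((e["eventSource"], e["eventName"])
                   for e in by_principal(events, principal) if is_denied(e))

def scp_denials(events, principal=PRINCIPAL):
    """Queries 2.7 and 2.9: denied APIs whose error message names an SCP."""
    return sorted(e["eventName"] for e in by_principal(events, principal)
                  if is_denied(e) and SCP_MARKER in e.get("errorMessage", ""))

def grants_full_admin(policy):
    """True if any Allow statement covers every action on every resource."""
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def admin_inline_policies(events, principal=PRINCIPAL):
    """Query 2.10 equivalent: successful PutRolePolicy calls that grant full admin."""
    hits = []
    for e in by_principal(events, principal):
        if e["eventName"] == "PutRolePolicy" and not is_denied(e):
            params = e["requestParameters"]
            if grants_full_admin(json.loads(unquote(params["policyDocument"]))):  # decode first
                hits.append({"eventID": e["eventID"], "roleName": params["roleName"],
                             "policyName": params["policyName"]})
    return hits

if __name__ == "__main__":
    print("denied:", dict(denied_actions(SAMPLE_EVENTS)))
    print("denied by SCP:", scp_denials(SAMPLE_EVENTS))
    print("full-admin inline policies:", admin_inline_policies(SAMPLE_EVENTS))
```

<p>Run it directly to print the three findings for the sample events, or pass the <span>Records</span> array of a real CloudTrail log file to the same functions. Because the check decodes the policy document and walks its statements, it also catches admin grants written as lists (<span>"Action": ["*"]</span>) or as a single statement object, which a string match on the raw encoded value would miss.</p>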